An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its inner map template. The flag allows a concrete inner array with a different max_entries value to replace the template.

The verifier currently uses the template's max_entries to elide nullness for a constant-key lookup through the inner map pointer. At runtime, the lookup uses the concrete inner array's max_entries instead. The verifier can therefore accept an unchecked dereference even though the runtime helper returns NULL.

Patch 1 keeps lookups through BPF_F_INNER_MAP array templates nullable.

Patch 2 adds a verifier regression test for the unchecked dereference.

Before the fix, the regression program is accepted and the runtime reproducer triggers a NULL dereference. With the fix, both programs are rejected with an invalid map_value_or_null access.

Tested by compiling kernel/bpf/verifier.o and verifier_map_in_map.bpf.o, and by running the regression program and runtime reproducer in QEMU before and after the fix.

Signed-off-by: Nuoqi Gui <[email protected]>
---
v1->v2:
- Update the can_elide_value_nullness() comment to match the changed parameter (const struct bpf_map *map).

v1: https://patch.msgid.link/[email protected]

To: Alexei Starovoitov <[email protected]>
To: Daniel Borkmann <[email protected]>
To: Andrii Nakryiko <[email protected]>
Cc: Daniel Xu <[email protected]>
Cc: Eduard Zingerman <[email protected]>
Cc: John Fastabend <[email protected]>
Cc: Martin KaFai Lau <[email protected]>
Cc: Kumar Kartikeya Dwivedi <[email protected]>
Cc: Song Liu <[email protected]>
Cc: Yonghong Song <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Shuah Khan <[email protected]>
Cc: Ihor Solodrai <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]

---
Nuoqi Gui (2):
      bpf: Keep dynamic inner array lookups nullable
      selftests/bpf: Cover dynamic inner array lookup nullability

 kernel/bpf/verifier.c | 15 ++++----
 .../selftests/bpf/progs/verifier_map_in_map.c | 40 ++++++++++++++++++++++
 2 files changed, 49 insertions(+), 6 deletions(-)
---
base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
change-id: 20260606-f01-v2-324fb92185a2

Best regards,
-- 
Nuoqi Gui <[email protected]>
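
The mismatch described in the cover letter above, as an added user-space model that is not part of the original posting or of the kernel source. The struct, the function names and the sizes (template of 4 entries, concrete inner array of 1, constant key 2) are assumptions made for illustration; only BPF_F_INNER_MAP and max_entries come from the text.

```c
/* Added user-space model, not kernel code: struct and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_F_INNER_MAP (1U << 12) /* same value as include/uapi/linux/bpf.h */

struct model_map {                 /* stand-in for struct bpf_map */
    uint32_t map_flags;
    uint32_t max_entries;
    uint64_t *values;
};

/* Verifier, before the fix: a constant key below the template's max_entries is never-NULL. */
static bool elide_before(const struct model_map *tmpl, uint32_t key)
{
    return key < tmpl->max_entries;
}

/* Verifier, after the fix: a BPF_F_INNER_MAP template keeps the result nullable. */
static bool elide_after(const struct model_map *tmpl, uint32_t key)
{
    return !(tmpl->map_flags & BPF_F_INNER_MAP) && key < tmpl->max_entries;
}

/* Runtime: the bounds check uses the concrete inner array, not the template. */
static uint64_t *runtime_lookup(const struct model_map *m, uint32_t key)
{
    return key < m->max_entries ? &m->values[key] : NULL;
}

/* 1 if an unchecked dereference would be accepted while the runtime lookup returns NULL. */
static int accepts_null_deref(bool fixed, uint32_t tmpl_entries, uint32_t real_entries, uint32_t key)
{
    uint64_t storage[8] = {0};     /* constructed backing store, real_entries <= 8 */
    struct model_map tmpl = { BPF_F_INNER_MAP, tmpl_entries, NULL };
    struct model_map real = { BPF_F_INNER_MAP, real_entries, storage };
    bool elided = fixed ? elide_after(&tmpl, key) : elide_before(&tmpl, key);

    return elided && runtime_lookup(&real, key) == NULL;
}

int main(void)
{
    /* Constructed sizes: template has 4 entries, concrete inner array has 1, key is 2. */
    printf("before fix: %d\n", accepts_null_deref(false, 4, 1, 2));
    printf("after fix:  %d\n", accepts_null_deref(true, 4, 1, 2));
    return 0;
}
```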

